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Abstract. The concept of ring signature was introduced by Rivest, 
Shamir and Tauman. This signature is considered to be a simplified 
group signature from which identity of signer is ambiguous although 
verifier knows the group to which signer belong. In this paper we intro- 
duce a new proxy ring signature scheme. 1 
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1 Introduction 

Consider the following situation discussed by Zhang et al. in |10j - 

An entity delegate his signing capability to many proxies, called 
proxy signers set. Any proxy signer can perform the signing oper- 
ation of the original entity. These proxy signers want to sign mes- 
sages on behalf of the original entity while providing anonymity. 
Of course, this problem can be solved by group signature (Take the 
group manager as the original entity). But in some applications, it 
is necessary to protect the privacy of participants (we believe that 
unconditional anonymity is necessary in many occasions). If the 
proxies don't hope that some one (include the original signer) can 
open their identities, the group signature is not suitable in here 
(Because a group manager can open the signature to reveal the 
identity of the signer). 

To solve above problem proxy ring signature scheme was introduced by 
Zhang et al 10 . In this paper, we propose a new proxy ring signature 
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scheme based on Lin-Wu's [5] ID-based ring signature scheme from bi- 
linear pairing. As compared to previous scheme ^01 > our scheme is com- 
putationally more efficient, especially for the pairing operations required 
during signature verification. 

2 Preliminaries 

— Bilinear Pairings 

Let Gi cyclic additive group generated by P, whose order is a prime q, 
and G2 bea cyclic multiplicative group of the same order q: A bilinear 
pairing is a map e : Gi x Gi — ► G2 with the following properties: 
PI: Bilinear: e(aP,bQ) = e(P,Q) ab ; 

P2: Non-degenerate: There exists P, Q € Gi such that e(P,Q) 7^ 1; 
P3: Computable: There is an efficient algorithm to compute e(P,Q) 
for all P,Q e Gi. 

When the DDHP (Decision Diffie-Hellman Problem) is easy but the 
CDHP (Computational Diffie-Hellman Problem) is hard on the group 
G; we call G a Gap Diffie-Hellman (GDH) group. Such groups can 
be found on supersingular elliptic curves or hyperelliptic curves over 
finite field, and the bilinear parings can be derived from the Weil or 
Tate pairing. We can refer to |7|l()j for more details. 
Through this paper, we define the system parameters in all schemes 
are as follows: Let P be a generator of Gi; the bilinear pairing is given 
by e : Gi x Gi — * G2. Define two cryptographic hash functions 
Hi : {0, 1}* — » z q and H 2 : {0, 1}* — > G 2 . 

— Paring based short signature scheme (PBSSS) Boneh et al.'s 
pairing based short signature scheme is as follows- 

Key Generation Choose a random number s £ Z* and compute 
Ppub = sP where [G\, G2, q, P, Pp u bi H%) are public parameter and s 
is the secret key. 

Signing For a message m € 0, 1*, compute P m = H2{m) G G\,. Then 

S m = sP m is the signature on message m. 

Verification Check whether the following equation holds 

e(S m ,P) = e(H 2 (m),P Pub ) 

This scheme is proven to be secure against existential forgery on adap- 
tive chosen message attack (in random oracle model) assuming Com- 
putationally Diffie Hellman Problem is hard [H]. 



3 Proposed Scheme 



[Setup] The system parameters params = {Gi, G2, e, q, P, H±, H2} Let 
Alice be the original signer with public key PK Q = s Q P and private key s a , 
and L = {PSi} be the set of proxy signers with public key PK Pi = s Pi P 
and private key s Pi . 

[Proxy Key Generation] The original signer prepares a warrant w, 
which is explicit description of the delegation relation. Then he sends 
(w, s H2{w)) to the proxy group L. Each proxy signer uses his secret key 
S Pi to sign the warrant w and gets his proxy key Si = s H2(w)+s Pi H2(w). 
[Proxy Ring Signing]For signing any message m, the proxy signer PSi 
chooses a subset Lf C L. Proxy signers's public key is listed in L,. Now 
to sign he/ she perform following operations: 

— Initialization: Choose randomly an element A £ Gi, compute 

c k+1 = e(A,P) (1) 

— Generate forward ring sequence For i = k + l,k + 2, ....k + (n — 1) 
choose randomly T, G Gi and compute 

Ci+i = e(PK + PK Pz , Cl H 2 {w)) H ^ L) .e(Ti,P) (2) 

— Forming the ring: Let R n = R Q . Then, PSi computes 

Ti = A - h 2 {m || L)ciSi, (3) 



T = E^Ti (4) 

Output: Finally, Let c n = Co- The resulting ring signature for a 
message m and with ring member specified by Lf is the (n + 1)- 
tuple:(ci, c 2 , ...,Cn,T) 



[Verification] Given message m, its ring signature (c\, C2, c n , T), and 
the set Lf of the identities of all ring members, the verifier can check the 
validity of the signature by the testing if: 



ntiCi = e(PK + PK^Z^aH^f^M.eiT, P) (5) 



4 Performance and Security Discussion 



Key Secrecy In computing user Pj's private key Si from the correspond- 
ing public key PK Q + PKp i requires the knowledge of original signer's 
private key s a and proxy signer's private key s Pi . According to defini- 
tion these keys are protected under the intractability of DLP in G\ as 
PK a = So P and PK Pi = s p% P. 

Signer ambiguity In a valid proxy ring signature (ci, C2, c n , T) with 
proxy group L, generated by PSi all q's are computed by eq 2. Since 
Tj € G\ is chosen uniformly at random, each a is uniformly distributed 
over (?2- Thus, regardless who the actual signer is and how many ring 
members involved (ci, C2, c n ) biases to no specific ring member. 

5 Conclusion 

In this paper we proposed a new proxy ring signature which becomes 
needful whenever proxy signer want to sign message on behalf of the orig- 
inal signer providing anonymity. The proposed scheme is more efficient 
as compared with the Zhang et al.'s, especially for the pairing operation 
required in the signature verification. This proxy ring signature scheme 
is more efficient for those verifiers who have limited computing power. 
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